14 DAY TRIAL // Zero interaction was needed in a proof-of-concept video released by Lookout, a cyber-security vendor specialized in mobile device security.
The guilty party in the video is called Shedun (also known as GhostPush), a trojanized adware that infects a user's phone and roots the device when the owner is careless enough to install apps from non-official sources (third-party app stores).
While initially Shedun only rooted the device and installed various ad-delivery apps, a new version of the adware was discovered, one that asks the user to turn on the phone's accessibility features during its installation.
The user is presented with a message that says something like: "[APP_NAME] uses accessibility features to help stop inactive apps you aren't using. You'll see a standard privacy reminder. Please feel at ease about turning it on."
If the user is tricked by the friendly message in which he's asked to give the app access to these features, the adware will then be able to read data passed via Android popups and take action on its own, without any user interaction.
This allows the adware to download and install apps without the user ever doing anything. Below is a video of the adware delivering an ad, but installing another app without any kind of user interaction when the user taps the ad's "close" button.
Below is a video of the adware requesting access to the phone's accessibility features during its installation.
